Changelog

Track technical improvements, feature additions, and fixes deployed to the control plane.

All notable changes to the Open PaaS project will be documented in this file.

[1.4.1] - 2026-06-17

Fixed

  • CSRF Token Cookie Propagation: Corrected the Set-Cookie parsing regex within the server-side fetch proxy (fetchBackend) to properly support header values separated by a comma and a space (", "). This ensures the csrf_token cookie is correctly parsed, stored in the browser, and sent back in headers for mutating requests, resolving persistent 403 CSRF verification errors.
  • Environment Variable (.env) Injection: Configured the container build engine to dynamically generate a .env file containing all user-configured and platform-injected environment variables in the build workspace (sourceDir) before building the container image. This fixes deployment crashes for PHP and Node.js applications that strictly expect a .env file on disk.
  • Error Response Extraction: Enhanced frontend server-side handlers to properly parse and extract nested messages from the NestJS global exception wrapper, showing detailed error descriptions in toast notifications rather than generic fallback alerts.
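The CSRF fix above turns on how a folded Set-Cookie header is split. The following is an added example written for this page, not the project's fetchBackend proxy: it splits a ", "-joined Set-Cookie value into individual cookies, parses them, extracts csrf_token, and rebuilds the Cookie request header. It goes one step beyond the changelog entry by handling the case a plain ", " split gets wrong: an Expires attribute, whose RFC 1123 date itself contains ", ". The sample header is constructed; cookie names other than csrf_token are assumptions.

```javascript
// Added example (not the Open PaaS fetchBackend proxy): splitting and parsing a
// combined Set-Cookie header so the csrf_token cookie survives the round trip.
// The Fetch API folds several Set-Cookie headers into one ", "-joined string,
// so a proxy that splits only on ";" never sees the second cookie. Splitting
// blindly on ", " is wrong too, because Expires dates contain ", ".

// Constructed sample: two cookies folded into one header value.
const SAMPLE_SET_COOKIE =
  "csrf_token=abc123; Path=/; SameSite=Strict, " +
  "session=xyz; Expires=Wed, 21 Oct 2026 07:28:00 GMT; HttpOnly; Secure";

// Split a folded Set-Cookie value into one string per cookie. A comma starts
// a new cookie only when the text after it (up to the next ";" or ",") looks
// like "name=value"; the comma inside an Expires date does not.
function splitSetCookie(folded) {
  const cookies = [];
  let start = 0;
  let pos = 0;
  while (pos < folded.length) {
    if (folded[pos] !== ",") { pos += 1; continue; }
    let j = pos + 1;
    while (j < folded.length && folded[j] === " ") j += 1;
    let k = j;
    while (k < folded.length && folded[k] !== ";" && folded[k] !== ",") k += 1;
    if (folded.slice(j, k).includes("=")) {
      cookies.push(folded.slice(start, pos).trim());
      start = j;
      pos = j;
    } else {
      pos += 1; // comma belongs to an attribute value such as an Expires date
    }
  }
  const tail = folded.slice(start).trim();
  if (tail) cookies.push(tail);
  return cookies;
}

// Parse one Set-Cookie string into name, value and lower-cased attributes.
function parseSetCookie(cookieString) {
  const [pair, ...rawAttrs] = cookieString.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attributes = {};
  for (const attr of rawAttrs) {
    if (!attr) continue;
    const e = attr.indexOf("=");
    if (e === -1) attributes[attr.toLowerCase()] = true;
    else attributes[attr.slice(0, e).toLowerCase()] = attr.slice(e + 1);
  }
  return { name, value, attributes };
}

// All cookies from a folded header, parsed.
function parseFoldedSetCookie(folded) {
  return splitSetCookie(folded).map(parseSetCookie);
}

// Value of one named cookie, or null when absent (the proxy looks up csrf_token).
function extractCookie(folded, cookieName) {
  const hit = parseFoldedSetCookie(folded).find((c) => c.name === cookieName);
  return hit ? hit.value : null;
}

// Build the Cookie request header the proxy sends back to the API on
// mutating requests: only name=value pairs, attributes are not echoed.
function toCookieHeader(folded) {
  return parseFoldedSetCookie(folded)
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Stand-alone demonstration.
console.log(parseFoldedSetCookie(SAMPLE_SET_COOKIE));
console.log("csrf_token:", extractCookie(SAMPLE_SET_COOKIE, "csrf_token"));
console.log("Cookie header:", toCookieHeader(SAMPLE_SET_COOKIE));
```

Where the runtime offers it (Node 20 and current undici), headers.getSetCookie() returns the unfolded array directly and makes the splitting step unnecessary; the manual split is only needed when the proxy receives the already-joined string.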

[1.4.0] - 2026-06-16

Added

  • Edge-Level DDoS & Bot Protection: Implemented comprehensive edge proxy hardening with global rate limiting (30r/s per IP with burst=50), concurrent connection throttling (30 conn/IP), and DDoS timeout tuning (10s client body/header/send timeouts, 15s keepalive).
  • Dynamic Lua Bot Blocker Module: Created a reusable OpenResty Lua module (bot_blocker.lua) that pattern-matches User-Agent strings against a blacklist of known vulnerability scanners and scrapers (TLM-Audit-Scanner, l9explore, sqlmap, nikto, wpscan, MJ12bot, AhrefsBot, SemrushBot, DotBot, PetalBot, python-requests). Blocked requests receive an immediate 403 Forbidden at the edge without touching backend containers.
  • Scanner Path Protection: Added Nginx location blocks to intercept and deny access to sensitive probing paths (.env, .git/config, .env.production, .env.local, wp-config.php, composer.json, package.json, etc.) with access logging disabled to reduce noise.
  • Threat Analysis Report: Conducted a full traffic log analysis of the OpenResty proxy, identifying top traffic-consuming IPs, malicious User-Agents, and scanner probing patterns. Documented findings in a structured threat report.
  • Cloudflare Real IP Resolution: Integrated all current Cloudflare IPv4 and IPv6 ranges into Nginx set_real_ip_from directives with CF-Connecting-IP header extraction for accurate per-client rate limiting behind the CDN.
  • Security-Enriched Access Logs: Extended the Nginx log format to capture Cloudflare-specific headers (cf_ip, cf_ray, cf_country, cf_visitor, true_client_ip) for forensic analysis and DDoS attribution.
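The edge rules listed above interact: a request is answered by the User-Agent blocklist, by the probe-path deny, or by the per-IP rate limit. The following is an added example written for this page, not the project's nginx.conf, prod.conf or bot_blocker.lua: a JavaScript model of those rules that can be run offline, with the blocklist and probe paths taken from the changelog and the rate limit modelled on nginx limit_req semantics (rate=30r/s, burst=50, without nodelay: excess within the burst is queued and released at the configured rate, excess beyond it is refused and not counted). The 503 for rate-limited requests, the 403 for probe paths, the sample IPs and the traffic pattern are assumptions.

```javascript
// Added example (not the project's nginx.conf, prod.conf or bot_blocker.lua):
// a JavaScript model of the 1.4.0 edge rules. Substring matching on User-Agent
// and the probe-path list follow the changelog; the leaky bucket follows the
// documented behaviour of nginx limit_req (rate=30r/s, burst=50, no nodelay).
// Response codes for rate limiting (503) and probe paths (403) are assumptions.

// User-Agent fragments named in the changelog; matched case-insensitively.
const BLOCKED_UA_FRAGMENTS = [
  "TLM-Audit-Scanner", "l9explore", "sqlmap", "nikto", "wpscan", "MJ12bot",
  "AhrefsBot", "SemrushBot", "DotBot", "PetalBot", "python-requests",
].map((s) => s.toLowerCase());

// Probe paths named in the changelog (the trailing "etc." is not expanded).
const PROBE_FILES = [
  ".env", ".git/config", ".env.production", ".env.local",
  "wp-config.php", "composer.json", "package.json",
];

function isBlockedUserAgent(userAgent) {
  const ua = (userAgent || "").toLowerCase();
  return BLOCKED_UA_FRAGMENTS.some((fragment) => ua.includes(fragment));
}

function isProbePath(path) {
  const clean = path.split("?")[0];
  return PROBE_FILES.some((file) => clean === `/${file}` || clean.endsWith(`/${file}`));
}

// Leaky bucket per client IP, modelled on nginx limit_req: "excess" counts how
// many requests above the steady rate are queued; it drains at `rate` per
// second and grows by one per accepted request. Excess above `burst` is
// rejected without touching the bucket; excess within burst is delayed by
// excess/rate seconds.
class LeakyBucketLimiter {
  constructor({ ratePerSecond, burst }) {
    this.rate = ratePerSecond;
    this.burst = burst;
    this.buckets = new Map(); // ip -> { excess, lastMs }
  }

  check(ip, nowMs) {
    const prev = this.buckets.get(ip);
    if (!prev) {
      this.buckets.set(ip, { excess: 0, lastMs: nowMs });
      return { action: "allow", delayMs: 0 };
    }
    const elapsedSeconds = Math.max(0, nowMs - prev.lastMs) / 1000;
    const excess = Math.max(0, prev.excess - this.rate * elapsedSeconds + 1);
    if (excess > this.burst) {
      return { action: "reject", delayMs: 0 }; // refused requests are not counted
    }
    this.buckets.set(ip, { excess, lastMs: nowMs });
    if (excess > 0) {
      return { action: "delay", delayMs: Math.round((excess / this.rate) * 1000) };
    }
    return { action: "allow", delayMs: 0 };
  }
}

// Decide one request. `ip` must already be the real client address (the
// CF-Connecting-IP restoration from the changelog); otherwise every visitor
// arriving through the same Cloudflare edge shares one bucket.
function decideRequest(req, limiter, nowMs) {
  if (isBlockedUserAgent(req.userAgent)) {
    return { status: 403, reason: "blocked user-agent", delayMs: 0 };
  }
  if (isProbePath(req.path)) {
    return { status: 403, reason: "probe path", delayMs: 0 };
  }
  const verdict = limiter.check(req.ip, nowMs);
  if (verdict.action === "reject") {
    return { status: 503, reason: "rate limited", delayMs: 0 };
  }
  return { status: 200, reason: verdict.action, delayMs: verdict.delayMs };
}

// Constructed traffic: one client sending 60 requests in the same millisecond
// and one more two seconds later, plus a scanner User-Agent and a probe path.
function simulate() {
  const limiter = new LeakyBucketLimiter({ ratePerSecond: 30, burst: 50 });
  const tally = { allowed: 0, delayed: 0, rateLimited: 0, forbidden: 0 };
  const record = (d) => {
    if (d.status === 403) tally.forbidden += 1;
    else if (d.status === 503) tally.rateLimited += 1;
    else if (d.delayMs > 0) tally.delayed += 1;
    else tally.allowed += 1;
  };
  const browser = { ip: "203.0.113.7", path: "/", userAgent: "Mozilla/5.0" };
  for (let i = 0; i < 60; i += 1) record(decideRequest(browser, limiter, 0));
  record(decideRequest(browser, limiter, 2000)); // bucket has drained: allowed
  record(decideRequest({ ip: "198.51.100.9", path: "/", userAgent: "sqlmap/1.7" }, limiter, 0));
  record(decideRequest({ ip: "198.51.100.9", path: "/.env", userAgent: "Mozilla/5.0" }, limiter, 0));
  return tally;
}

console.log(simulate());
```

In a real OpenResty deployment limit_req runs in the preaccess phase, before access_by_lua, so the rate limit is evaluated ahead of the Lua User-Agent check rather than after it as in this model; the outcome for a single request is the same, but a flood from one address is shed by the bucket before the Lua handler ever runs.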

Changed

  • Bot Blocker Architecture: Migrated User-Agent blacklisting from static Nginx map variables (which suffered lazy evaluation issues when location blocks or OpenResty Lua handlers bypassed server-level if blocks) to a dynamic Lua module loaded via require("bot_blocker").check(). This ensures the check runs in the request access phase on every request.
  • Cleaned Up Nginx Configuration: Removed the deprecated $blocked_bot map from nginx.conf, removed server-level if ($blocked_bot) blocks and debug headers (X-Blocked-Bot) from prod.conf, and wired the Lua bot blocker into both the platform frontend and dynamic app routing server blocks.

Fixed

  • Custom Domain Image 403 Diagnosis: Identified that 403 Forbidden errors on static assets (images, favicon) for custom domains (e.g., campuscapitalpro.com) were caused by Cloudflare Hotlink Protection on the useveris.xyz zone — not by OpenResty. The Referer header from a custom domain doesn't match the zone origin, triggering Cloudflare's block. Fix: disable Hotlink Protection in Cloudflare Scrape Shield settings.

[1.3.0] - 2026-06-15

Added

  • Accurate Build Benchmarks: Replaced mutable build duration tracking with actual startedAt and completedAt database timestamps and a persistent buildPhases JSON column storing precise durations for each pipeline step (extract, port allocation, docker build, cleanup, edge routing).
  • Live Container Resource Telemetry: Exposes real-time container CPU usage, RAM consumption, network I/O, disk block I/O, and active process count (PIDs) via /deployments/:id/stats (running docker stats --no-stream under the hood).
  • Full-Stack Meta-Framework Detection: The engine now auto-detects SSR frameworks (TanStack Start, Next.js, Nuxt, Remix, SvelteKit, SolidStart, and Qwik City) by parsing package.json dependencies and routes them to Node.js environments instead of Nginx static serving.
  • Upload Progress Trackers: Integrated an upload progress indicator and custom linear progress bars displaying upload percentage (uploadProgress) in both the app creation modal and the deployment log terminal.

[1.2.0] - 2026-06-08

Added

  • Host System Observability Metrics: Upgraded health telemetry with full-host metrics (CPU usage percent, memory breakdown in bytes, load averages, host uptime, platform context, and active workload counts).
  • Frontend Observability Grid: Transformed dashboard metrics into a responsive 4-column panel displaying workloads, host CPU, host RAM, and API V8 heap usage.
  • Provider Streaming Logs Unit Tests: Covered the streamLogs functionality in the DockerProvider and RunnerService test suites to ensure robust real-time log pipelines.
  • Cloudflare Edge Log Integration: Enriched Nginx/OpenResty edge access logs to log original visitor headers (CF-Connecting-IP, CF-Ray, CF-IPCountry, CF-Visitor, True-Client-IP) to track request context and detect DDoS patterns.
  • Cloudflare Real IP Resolution: Integrated automatic client IP restoration across Nginx server blocks using official Cloudflare IP ranges.
  • Attack Header Retention: Explicitly enabled processing of underscores and malformed headers during network/DDoS attacks via Nginx core directives.

Changed

  • Zero-RAM Multipart Streaming: Migrated file uploads in DeploymentController to save incoming zip packages directly to temporary directory paths on disk using Multer disk storage config, bypassing Node process buffer memory limitations.
  • Streamlined Cleanup: Improved cleanups to garbage collect temporary file paths after deployment queue submission, pre-detection processing, and unzipped package source directories after building finishes.
  • Removed Hardcoded Production Secrets: Cleaned up deploy.sh and compose.prod.yaml of all hardcoded credentials. The deploy script now automatically generates high-entropy passwords (openssl rand -hex 24) for Postgres and Redis dynamically inside ~/paas/.env on the target VPS, configures the database user defaults to prod_app, automatically symlinks control-plane/.env to it, and lets Docker Compose load variables automatically without manual parameter flags.
  • Database Schema Migration Fix: Created the missing SQL migration for the build_duration column in the deployments table, resolving database update crashes that caused builds to hang indefinitely in BUILDING state. Added automated prisma generate triggers in the local build script.

[1.1.0] - 2026-06-06

Added

  • Build Duration Tracking: Measures deployment build times in seconds and stores them on the Deployment database records.
  • Container Log Streaming (SSE): Added a real-time Server-Sent Events stream for running container console outputs (stdout/stderr) at GET /deployments/:id/container-logs/stream.
  • HTTP Access Logs Filter: Added regex-based query parameter logging filter (?type=http) to stream container logs containing web server and application HTTP traffic.
  • Global Dashboard Logs Feed: Introduced an aggregated telemetry log feed at GET /observability/logs/stream that streams logs from all currently active containers.
  • Retro Matrix Terminal Styling: Re-designed all log display viewers to look like classic green-on-black phosphor CRT monitors using customized glowing text styling and a scanline overlay pattern.
  • App Detail Tab Switcher: Users can now toggle between "Build Logs" and "Live Logs" with Console/HTTP filtering options dynamically on the App Details page.

Changed

  • Database Schema: Modified Deployment model to add an optional buildDuration integer field.
  • OpenResty Proxy Configuration: Handled domain routing maps and upstream resolution using dynamic Lua Redis routing mappings.

[1.0.0] - 2026-06-06

Added

  • Initial Release: Minimalist Control Plane NestJS API backbone and TanStack Start frontend app.
  • Runtime Auto-Detection: Support for detecting Node.js and PHP architectures automatically from uploaded packages.
  • Live Build Logs (SSE): Event-driven build log streaming directly to client consoles without database polling loops.
  • UX Overhaul: Rebuilt the app creator flows into a clean 3-step Deploy Modal.